01. Emerging Risk and Threat Landscape Flashcards

1
Q

Emerging Risk and Threat Landscape

What is the fundamental undertaking for any organisation that desires to be reasonably aware of its risks?

A

Risk Management

120

2
Q

Emerging Risk and Threat Landscape

Risks that are not identified or monitored could result in these 3 things being jeopardised

  1. U ____ B ____ L ____
  2. L ____ of L ____
  3. S ____ of the business
A
  1. Unexpected business losses
  2. Loss of life
  3. Survival of the business

120

3
Q

The Importance of Risk Management

Risk management represents time-proven methods and techniques used to:

  1. I ____ risks
  2. Understand the P____ of occurrence
  3. Understand the potential I____
  4. Make D____ about risks based on established criteria
  5. M____ key attributes of security and risk
  6. Produce long-term trend R____ for executive management
A
  1. Identify
  2. Probability
  3. Impact
  4. Decisions
  5. Measure
  6. Reporting

120

4
Q

The Importance of Risk Management

The effectiveness of a risk management program is largely dependent on two factors

  1. S ____ from ____
  2. O ____ C ____
A
  1. Support from executive management
  2. Organisational culture

121

5
Q

The Importance of Risk Management

Risk management is based on several factors

A
  1. Culture
  2. Mission, objectives, and goals
  3. Management Structure
  4. Management Support
  5. Industry sector
  6. Market conditions
  7. Applicable laws, regulations, and other legal obligations
  8. Stated or unstated risk tolerance
  9. Financial health
  10. Operating locations

121

6
Q

Outcomes of Risk Management

An organisation that implements an effective risk management program will have a heightened awareness of…

A

The use of technology, and how it can impact the business

121

7
Q

Outcomes of Risk Management

The greatest benefit an organisation can derive from an effective risk management program in relation to security incidents

A

A lower probability of security incidents
For those that do occur, a better-prepared state that reduces their impact

121

8
Q

Risk Objectives

A vital part of risk management strategy development is the determination of desired…

A

Risk Level

121

9
Q

Risk Objectives

One important input into risk management strategy development

A

Understanding the current level of risk and the desired future state

121

10
Q

Risk Management Technologies

See the Risk Management Technologies cards

A
11
Q

Risk Management Technologies

Organisations without effective risk management programs often acquire technologies without first…

A

Identifying specific, relevant risks, and instead base the decision on:

  1. Salespeople (false claims)
  2. Security managers of other organisations
  3. Articles in trade publications

122

12
Q

Implementing a Risk Management Program

There are several risk management frameworks to choose from, which share these common principles

A
  1. Risk management is a life-cycle process
  2. Periodic assessment requirements
  3. An aim for continuous improvement

123

13
Q

Implementing a Risk Management Program

Applying a risk management framework in an organisation will require an understanding of the organisation's…

A
  1. Mission
  2. Objectives
  3. Strategies
  4. Cultures
  5. Practices
  6. Structure
  7. Financial condition
  8. Risk Appetite
  9. Level of executive management support

123

14
Q

Implementing a Risk Management Program

Enterprise Risk Management (ERM) and Information Risk Management programs share concepts and techniques, but…

A

They often work together, yet deal with different subject matter

123

15
Q

Risk Management Strategy

The objective of a risk management strategy is to…

A

Identify all credible risks and reduce them to an acceptable level

123

16
Q

Risk Management Strategy

The acceptable level of risk is generally related to…

A
  1. Executive management's risk appetite
  2. The organisation's ability to absorb losses (and to build defences)
  3. Regulatory and legal requirements

124

17
Q

Risk Management Strategy

The primary means of mitigating risks and ensuring desired outcomes

A

Controls

124

18
Q

Risk Management Strategy

In organisations that already have smaller pockets of risk management, or an Enterprise Risk Management program, a key objective of the risk management strategist is…

A

Alignment

124

19
Q

Risk Management Strategy

Key internal and external factors will govern the implementation of risk management objectives

A
  1. Culture
  2. Organisational Maturity
  3. Management structure
  4. Management support
  5. Market conditions
  6. Regulatory and Legal requirements

124

20
Q

Risk Management Strategy

The most important factor that will enable or constrain security managers as they develop a risk management strategy

A

Development of key relationships throughout the organisation

124

21
Q

Risk Communication

Risk management must be introduced to the organisation's key stakeholders, rather than operating in secrecy, to help them understand…

A

The role of risk management in the organisation and the role they will play to help the program achieve its objectives

124

22
Q

Risk Communication

Communication channels should be open at all times and operate in…

A

all directions

125

23
Q

Risk Communication

Successful information risk programs operate through transparency. Information about risks should be…

A

readily available to all board members, executives, stakeholders, and risk owners

125

24
Q

Risk Awareness

A goal of risk awareness is to ensure business leaders and decision makers understand that business decisions have a risk component. Formal information risk management programs will include…

A

Processes and techniques for making risk-aware decisions

125

25
Q

Risk Awareness

There is an overlap in content and audience of security awareness and risk awareness.
1. Security awareness applies to…
2. Risk awareness encompasses…

A
  1. Entire organisations
  2. Senior personnel involved in risk management

125

26
Q

Risk Consulting

Security managers often play the role of security and risk consultant. They are regarded as technology risk experts who…

A

are available to consult with on a wide variety of issues

125

27
Q

Risk Consulting

Key attributes to make a good information risk consultant

A
  1. Ability to listen to business leaders and understand what is being requested
  2. Ability to assess information and understand its impact on a process or the business
  3. A holistic understanding of the business

125

28
Q

Risk Management Frameworks

When building an information risk management program, the security manager needs to develop…

A
  1. Processes and procedures
  2. Roles and responsibilities
  3. Templates for business records

125

29
Q

Risk Management Frameworks

High quality industry risk management frameworks

A
  1. ISO/IEC 27001
  2. ISO/IEC 27005
  3. ISO/IEC 31010
  4. NIST SP 800-37
  5. NIST SP 800-39
  6. COBIT 2019
  7. Risk IT Framework
  8. RIMS Risk Maturity Model

126

30
Q

Risk Management Frameworks

Risk managers can take 2 main approaches when considering existing frameworks

A
  1. Use a single framework that best aligns to the business
  2. Use elements from one or more frameworks to build an organisation risk management program

126

31
Q

Risk Framework Components

Risk management frameworks have a common core set of components

A
  1. Program scope
  2. Information risk objectives
  3. Information risk policy
  4. Risk appetite/tolerance
  5. Roles and responsibilities
  6. Risk management life-cycle process
  7. Risk management documentation
  8. Management review

126

32
Q

Integration into the environment

To be effective, the risk management program needs to…

A

Fit into and align with the organisation's existing policies, processes, and systems, minimising the impact on the organisation

126

33
Q

Risk Management Context

The security manager and executive management must define…

A

the boundaries within which the risk management program will operate

  • Business units, lines of business, locations and regions
  • Participants and stakeholders
  • Roles and responsibilities
  • Risk appetite and tolerance

127

34
Q

Three levels of risk management

Risk management is best divided into three tiers

A
  1. Enterprise-level risks
  2. Process-level risks
  3. Asset-level risks

  1. General risks associated with organisation culture and management. These risks are typically conceptual in nature and are handled by ERM (Enterprise Risk Management)
  2. Usually associated with the effectiveness of business processes, typically those that affect cybersecurity posture
  3. Risks associated with individual systems or small groups of systems

128

35
Q

Three levels of risk management

Risks at one tier sometimes inform risks at adjacent tiers. A surge in asset-level risks may indicate defects at the process level.

A
36
Q

Gap Analysis

When a security manager is developing actual plans for implementing components of the information risk management program, they must understand the current state of the program. They should conduct a gap analysis to…

A

determine which elements of the current state remain, can be discarded, or should be replaced

129

37
Q

External Support

External sources of information and expertise that a security manager can lean on when developing the risk management program

A
  1. Consultants
  2. Security round tables
  3. Organisation chapters
  4. Published information risk management practices
  5. Security industry news sources
  6. Research organisation reports
  7. Advisory services
  8. Training
  9. Books
  10. Conferences
  11. Intelligence services

130/131

38
Q

Risk Management Lifecycle

Risk management is a cyclical process, formally defined in policy and process documents that define…

A
  1. Scope
  2. Roles and responsibilities
  3. Workflow
  4. Business rules
  5. Business records

132

39
Q

Risk Management Lifecycle

Information risk management relies upon risk assessments that consider…

A

Valid threats against the organisation's assets, taking into account any vulnerabilities present

132

40
Q

Risk Management Lifecycle

Risk treatment decisions are made after weighing the various risk treatment options. These decisions are typically made by…

A

a business owner associated with the affected business activity

132

41
Q

The Risk Management Process

The risk management process consists of a set of structured activities that enable an organisation to manage risks systematically

A
  1. Scope definition
  2. Asset identification and valuation
  3. Risk appetite
  4. Risk identification
  5. Risk analysis
  6. Risk treatment
  7. Risk communication

132/133

42
Q

The Risk Management Process

Risk Identification:
The organisation identifies a risk that comes from one of several sources, including…

A
  1. Risk assessment
  2. Vulnerability assessment
  3. Threat advisory
  4. Risk analysis

  1. An overall or focused risk assessment
  2. Security scans, penetration tests, source code scans
  3. An advisory from a product vendor, a threat intelligence feed, or a news story
  4. Analysis of one risk may uncover other associated risks

132

43
Q

The Risk Management Process

Risk analysis:
Risk analysis determines several characteristics…

A
  1. Probability of event occurrence
  2. Impact of event occurrence
  3. Mitigation
  4. Recommendation

  1. Calculating the likelihood that an event associated with a risk will occur
  2. Determining the impact of each given risk. It can be evaluated qualitatively (high, medium, low) or quantitatively (dollar value)
  3. Determining the different methods and techniques (and, where possible, the cost of each) for mitigating the risk
  4. Developing a recommended course of action

133

44
Q

The Risk Management Process

Risk treatment:
An individual decision maker or committee will make a decision about a specific risk

A
  1. Accept
  2. Mitigate
  3. Transfer
  4. Avoid

  1. No action is taken; the risk is accepted as it stands
  2. Implement some form of action that serves to reduce the probability or impact of the risk occurrence
  3. Typically involves taking out an insurance policy
  4. Discontinuing the activity or technology associated with the risk

133

45
Q

The Risk Management Process

A risk register is the primary business record used by most risk management programs. It will typically contain…

A
  1. Description of the risk
  2. Level and type of risk
  3. Information relating to risk treatment options

133
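The risk analysis, risk treatment and risk register cards above describe a process without showing what the record looks like. The block below is an added example written for this page; it is not code from the flashcards or from the book they summarise. It implements a small risk register in Python: a 3x3 qualitative likelihood/impact matrix, a quantitative expected-loss figure (probability per year times dollar impact, the usual SLE/ARO/ALE arithmetic, which is an assumption of common practice rather than something the cards name), the four treatment options, and a check against a per-risk appetite. The sample risks, dollar figures and the appetite threshold are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Treatment(Enum):
    ACCEPT = "accept"      # no action; the risk is recorded and owned as-is
    MITIGATE = "mitigate"  # a control lowers probability and/or impact
    TRANSFER = "transfer"  # e.g. insurance absorbs part of the impact
    AVOID = "avoid"        # the activity or technology is discontinued


LEVELS = ["low", "medium", "high"]


def qualitative_level(likelihood: str, impact: str) -> str:
    """Qualitative analysis: 3x3 likelihood/impact matrix (assumed mapping)."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)  # 0..4
    return "low" if score <= 1 else "medium" if score == 2 else "high"


def annualised_loss(probability_per_year: float, impact_dollars: float) -> float:
    """Quantitative analysis: expected loss per year (ARO * SLE, an assumed convention)."""
    if probability_per_year < 0 or impact_dollars < 0:
        raise ValueError("probability and impact must be non-negative")
    return probability_per_year * impact_dollars


@dataclass
class Risk:
    risk_id: str
    description: str
    source: str           # risk assessment, vulnerability assessment, threat advisory, risk analysis
    tier: str             # enterprise, process or asset
    probability: float    # inherent occurrences per year
    impact: float         # inherent dollars per occurrence
    owner: str            # business owner who makes the treatment decision
    treatment: Optional[Treatment] = None
    residual_probability: Optional[float] = None
    residual_impact: Optional[float] = None
    notes: List[str] = field(default_factory=list)

    def inherent_ale(self) -> float:
        return annualised_loss(self.probability, self.impact)

    def residual_ale(self) -> float:
        # Untreated risks carry their inherent value until a decision is recorded.
        if self.treatment is None:
            return self.inherent_ale()
        return annualised_loss(self.residual_probability, self.residual_impact)


class RiskRegister:
    def __init__(self, appetite_dollars: float):
        self.appetite = appetite_dollars  # max tolerable ALE per risk (hypothetical rule)
        self.risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self.risks:
            raise KeyError(f"duplicate risk id {risk.risk_id}")
        self.risks[risk.risk_id] = risk

    def treat(self, risk_id: str, treatment: Treatment,
              new_probability: Optional[float] = None,
              new_impact: Optional[float] = None, note: str = "") -> None:
        """Record the treatment decision and the resulting residual values."""
        r = self.risks[risk_id]
        r.treatment = treatment
        if treatment is Treatment.ACCEPT:
            r.residual_probability, r.residual_impact = r.probability, r.impact
        elif treatment is Treatment.AVOID:
            r.residual_probability, r.residual_impact = 0.0, 0.0
        else:  # MITIGATE or TRANSFER: the decision must state what changes
            if new_probability is None and new_impact is None:
                raise ValueError("mitigate/transfer needs a new probability or impact")
            r.residual_probability = r.probability if new_probability is None else new_probability
            r.residual_impact = r.impact if new_impact is None else new_impact
        if note:
            r.notes.append(note)

    def above_appetite(self) -> List[str]:
        return sorted(rid for rid, r in self.risks.items() if r.residual_ale() > self.appetite)

    def tier_counts(self) -> Dict[str, int]:
        counts = {"enterprise": 0, "process": 0, "asset": 0}
        for r in self.risks.values():
            counts[r.tier] += 1
        return counts


def build_sample_register() -> RiskRegister:
    """Constructed sample data: three risks, one at each tier, with treatments applied."""
    reg = RiskRegister(appetite_dollars=60_000)
    reg.add(Risk("R-001", "Unpatched internet-facing VPN appliance", "vulnerability assessment",
                 "asset", probability=0.5, impact=200_000, owner="IT Operations"))
    reg.add(Risk("R-002", "Firewall rule changes made without review", "risk assessment",
                 "process", probability=2.0, impact=50_000, owner="Network Services"))
    reg.add(Risk("R-003", "Ransomware outage of the order-handling platform", "threat advisory",
                 "enterprise", probability=0.1, impact=3_000_000, owner="COO"))
    reg.treat("R-001", Treatment.MITIGATE, new_probability=0.05, note="patched; exposure via VPN removed")
    reg.treat("R-002", Treatment.ACCEPT, note="owner accepted pending change-control rollout")
    reg.treat("R-003", Treatment.TRANSFER, new_impact=500_000, note="cyber policy covers 2.5M of loss")
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for rid, r in reg.risks.items():
        print(rid, r.tier, r.treatment.value, f"inherent={r.inherent_ale():,.0f}",
              f"residual={r.residual_ale():,.0f}")
    print("above appetite:", reg.above_appetite())
```

Note the design choice in `treat`: accepting a risk leaves the inherent figures in place, so an accepted risk still shows up in `above_appetite` (R-002 here). That is the point of the register as a business record: the acceptance decision and its owner are visible to the board and risk owners rather than making the risk disappear.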
